This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm looking at a pcap, with the 3-way handshake already done. After an initial file is sent, the sequence number is 4887. The client sends another TCP packet with the SYN flag, which prompts another 3-way handshake. This resets the sequence numbers back to 1, as seen in the packet capture file. However, immediately after when the client asks for another file, the sequence number goes back to what it started as before, plus a few more, to 5321.

Why does the sequence number shoot back up to 5321, when it was reset back to 1?

asked 20 Aug '14, 15:00

FireShark's gravatar image

FireShark
6113
accept rate: 0%


You need to isolate TCP connections to track sequence numbers. You cannot compare them across multiple connections. Use the pop up menu to select conversation filters -> TCP on a packet to isolate the connection.

permanent link

answered 20 Aug '14, 15:03

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks! I didn't notice that although it was the same IP address, a different connection was being made on a new port.

(20 Aug '14, 16:10) FireShark
1

One minor comment on this - Wireshark by default uses relative sequence numbers starting from 0 for each TCP session, for easy human readability and math. The reality is that the sequence number in the packet is probably much greater than 0 in both cases, so it's not "dropping back" to 0, but rather analyzing that it's a second TCP session with a new set of sequence numbers which Wireshark will assign new relative numbers for, starting at 0.

(20 Aug '14, 19:23) Quadratic
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×55
×39
×16

question asked: 20 Aug '14, 15:00

question was seen: 3,709 times

last updated: 20 Aug '14, 19:32

p​o​w​e​r​e​d by O​S​Q​A